wermgr.exe

  • File Path: C:\WINDOWS\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 481E9D9BA530530EFE3C8871DEAEF37F
SHA1 EE512080700F76363732778C422B412AB2568CCC
SHA256 E66F5BD21473B17267FC1558C0BC91277ACB5A00235DF8F6C6DE9EB5325E2861
SHA384 65C744A8E2A6A2C8148E66E19A574577B6555BB8C0F1A1A8322B1588AC617796BAD8FF80EE5D11D592D82CF19FC90C04
SHA512 9DD514F2829CBE958A626CA10B31E2035A5FF8C0F1EB170FFA5DDE34D37A331BABBF0549FFD2997FC6F37F1783612EA8099CD1FCE38CE0A2B020C15460FB881A
SSDEEP 6144:msVFVSHm0qTiCH+/e47U5Bhl6ZKjUWQE12KOXVJyB60OHyLC7vX9a:jVh3KoBhMZKjUzEFOlc2Hyw/0

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.836 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.836
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 38
C:\windows\system32\WerFault.exe 41
C:\Windows\system32\WerFault.exe 32
C:\Windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 41
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 40
C:\WINDOWS\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 43
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 43
C:\WINDOWS\system32\WerFaultSecure.exe 38
C:\Windows\system32\WerFaultSecure.exe 46
C:\Windows\system32\wermgr.exe 40
C:\Windows\system32\wermgr.exe 40
C:\Windows\system32\wermgr.exe 44
C:\WINDOWS\system32\wermgr.exe 40
C:\WINDOWS\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 36
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 41
C:\windows\system32\wermgr.exe 46
C:\Windows\system32\werui.dll 43
C:\Windows\SysWOW64\WerFault.exe 38
C:\windows\SysWOW64\WerFault.exe 32
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 35
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 41
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\wermgr.exe 40
C:\windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 38
C:\WINDOWS\SysWOW64\wermgr.exe 38
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 36
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\werui.dll 41

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | sysmon_cve_2021_26857_msexchange.yml | `- 'wermgr.exe'` | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | `description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe` | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | `- '\wermgr.exe'` | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.